React Email

Patch Changes

• Updated dependencies [16ff94c]
  • react-email@6.6.0

Minor Changes

• 16ff94c: add a useTitleTag in Preview component so users can disable it if they want to

Minor Changes

• 3875d2a: add a --clients option to email dev and a COMPATIBILITY_EMAIL_CLIENTS environment variable to narrow which email clients trigger compatibility warnings. By default the preview still warns for gmail, apple-mail, outlook, and yahoo. Teams that only target one or two clients can now skip the noise: email dev --clients outlook,apple-mail. The CLI flag wins over the env var; an empty or fully-invalid list falls back to the defaults so warnings can't be silently switched off. Builds on #2797 by @ReemX.

Minor Changes

• 3875d2a: add a --clients option to email dev and a COMPATIBILITY_EMAIL_CLIENTS environment variable to narrow which email clients trigger compatibility warnings. By default the preview still warns for gmail, apple-mail, outlook, and yahoo. Teams that only target one or two clients can now skip the noise: email dev --clients outlook,apple-mail. The CLI flag wins over the env var; an empty or fully-invalid list falls back to the defaults so warnings can't be silently switched off. Builds on #2797 by @ReemX.

Patch Changes

• d47825a: Add accessibility defaults to components: dir/lang on Body, an empty alt fallback on Img, role="presentation" on the Markdown table, and a <title> from Preview.

Patch Changes

• Updated dependencies [d47825a]
• Updated dependencies [3875d2a]
  • react-email@6.5.0

Patch Changes

• 0963d30: scrub javascript:, vbscript:, and non-image data: URLs from pasted HTML and drop script, iframe, object, embed, meta, and base elements. This pass now runs on every paste; previously, content carrying the editor's node-* class marker took a fast-path that skipped sanitization entirely and could be spoofed by hosting attacker HTML with the same class name. Legitimate intra-editor copy/paste still round-trips class, style, and data-* attributes as before.

Minor Changes

• ba99365: resolve and strip unresolved --tw-* CSS variables in non-inlinable rules so Tailwind media query utilities no longer break Gmail

Patch Changes

• Updated dependencies [ba99365]
  • react-email@6.4.0

Minor Changes

• 3353e03: expose the unformatted (non-prettified) HTML from composeReactEmail as a new unformattedHtml field on the result. The existing html field is unchanged and still Prettier-formatted. Consumers that persist or send the email should prefer unformattedHtml, since pretty() indentation can inflate the byte size by 5–10× on deeply-nested table layouts (e.g. exports from Stripo or Mailchimp) and pushes the output past Gmail's 102 KB clipping threshold.

Patch Changes

• 86745ec: reject paths that resolve outside the configured emails directory in renderEmailByPath and getEmailPathFromSlug to close a path-traversal vector in the preview server

Patch Changes

• f355fba: prevent prototype pollution in the email-theming plugin by building cssJS and merged theme objects from Object.create(null) so attacker-controlled __proto__, constructor, or prototype keys in panel-style input become regular own properties instead of mutating Object.prototype
  • react-email@6.3.3

Patch Changes

• fbda5c8: increase whitespace padding to 200 characters for better Gmail preview text rendering

Patch Changes

• Updated dependencies [fbda5c8]
  • react-email@6.3.2

Patch Changes

• 27587f1: stop accepting the emails directory path as a server-action argument

  The getEmailsDirectoryMetadataAction server action used to take an absolute filesystem path from the client and walk that directory on the server, which allowed any caller of the endpoint to enumerate arbitrary directories on the host. The action now reads the path from the server-only REACT_EMAIL_INTERNAL_EMAILS_DIR_ABSOLUTE_PATH env variable and ignores client input.

Patch Changes

• c610dc0: fix: padding in Container/Section failing on Klaviyo and Outlook desktop

Patch Changes

• Updated dependencies [c610dc0]
  • react-email@6.3.1